AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 151

A company uses an Amazon API Gateway regional REST API to host its application API. The REST API has a custom domain. The REST API's default endpoint is deactivated.

The company's internal teams consume the API. The company wants to use mutual TLS between the API and the internal teams as an additional layer of authentication.

Which combination of steps will meet these requirements? (Choose two.)

Answer options

• A. Use AWS Certificate Manager (ACM) to create a private certificate authority (CA). Provision a client certificate that is signed by the private CA.
• B. Provision a client certificate that is signed by a public certificate authority (CA). Import the certificate into AWS Certificate Manager (ACM).
• C. Upload the provisioned client certificate to an Amazon S3 bucket. Configure the API Gateway mutual TLS to use the client certificate that is stored in the S3 bucket as the trust store.
• D. Upload the provisioned client certificate private key to an Amazon S3 bucket. Configure the API Gateway mutual TLS to use the private key that is stored in the S3 bucket as the trust store.
• E. Upload the root private certificate authority (CA) certificate to an Amazon S3 bucket. Configure the API Gateway mutual TLS to use the private CA certificate that is stored in the S3 bucket as the trust store.

Correct answer: A, E

Explanation

Option A is correct because creating a private CA in AWS Certificate Manager and provisioning a client certificate signed by it is essential for mutual TLS. Option E is also correct as uploading the root CA certificate to the trust store allows the API Gateway to verify client certificates signed by that CA. The other options are incorrect as they either involve public CA certificates or inappropriate uses of S3 for storing the certificates and keys.